Chapter 7
Scenario Planning and Analyses

Introduction

In Chapter 2, we briefly introduced the concept of fault tree analysis (FTA) and network analysis for evaluation of risks and consequences. The purpose of this chapter is to dig further into those subjects and others to demonstrate practical analytical techniques for scenario planning: how to analyze a network and how to perform security and hazard analysis by various methods. In this section, we will analyze the formation and consequences of various types of incidents and demonstrate some of the practical ways to eliminate or reduce their consequences. We will look at fault tree and network analysis in a bit more detail, then move on to the requirements of the US Department of Homeland Security (DHS), and finally consider consequence analyses and discuss the methods of evaluation and some of the software available for those analyses.

In this chapter, we will go further into specific methods to discuss risk assessment and hazard analysis techniques and disaster prevention as it applies to process operations and plant security and security management. It should be noted that in many instances, there is a substantial overlap between physical security and plant safety. No, we are not talking about worker safety, but process safety. The safety of the process has inherent implications that can affect the plant as a whole, and in the event of a disaster or serious process-related accident, the plant security force will play a major role in the response and in providing security to the plant and the personnel during and after the incident.

The analytical techniques between plant safety and plant security are often identical, and the principal distinction is that plant security is often outward directed, whereas plant safety is more internally focused on the plant operations. However, the distinction may become moot when there is either a serious plant accident, a sabotage, or a damaging attack from outside the plant.

When we get to the later portions of this chapter, those dealing with contingency planning and emergency response, we will discuss the outlines for emergency response from the perspective of the security force. The types and kinds of response are dictated by the incident, and the response must be coordinated by trained individuals who have the plant, its people, and the community uppermost in mind.

Before we start the discussion of specific analytical methods, a preliminary comment is offered. Fault tree, failure modes and effects, Bayesian network analysis, and some of the HAZOPS techniques are all related. Saying one is substantially different than another is somewhat misleading as most have a similar purpose and end result. The differences are in how the result is achieved. Most of the techniques use a similar analytical form, and each analyzes it slightly differently. The amount of work involved in development of a good analysis is directly dependent upon the effort involved, and the assumptions used in its development. The one fundamental thing to remember about the analysis is that while it looks like solid stuff, it is only as good as the assumptions that go into it. No amount of risk analysis will prevent incidents or occurrences of bad outcomes if the plant management does not follow through on the implementation of the recommendations of the risk management plan.

In this regard, one has to look no further than three of the largest industrial accidents in recent times: Chernobyl, BP Texas City Refinery Explosion, and Bhopal, India. Each of these is well documented in the chemical and risk management literature and has been extensively studied. The commonality of each of the disasters is related to multiple failures and a management disregard for the potential for those disasters. Disasters seldom come from a single event but are the result of management failures and multiple sequential violations of common sense and safety procedures.

In Bhopal, maintenance and safety procedure failures that led to a critical blind flange not being installed, coupled with decommissioning and shutdown of a methyl isocyanate cooling unit, and the temporary shutdown of the vent gas scrubber were contributing causes that led to the release that reportedly killed up to 7000 people in Bhopal, India.

In Chernobyl, Ukraine, the decision by a couple of electrical engineers, not nuclear engineers, to run a reactor spin-down test with the deliberate overriding of six layers of warning alarms, coupled with the absence of senior management supervising the test, led to the Chernobyl disaster. According to an account by Rushworth Kidder, who investigated the accident, the test could have been conducted on a nonnuclear reactor with greatly reduced consequences.1

The third incident was the loss of life due to the explosion and fire at the BP Texas City Refinery. The US Chemical Safety Board found a number of safety and process violations that were contributory to the incident, but key among them was the lax safety culture at the refinery.2

FTA, Markov Chains, and Monte Carlo Methods

Earlier, we discussed and briefly outlined the preparation of a fault tree analysis. Implicit in the preparation of an FTA is the assumption that we can quantify the probabilities of success or failure for each of the branches or events. Often, we cannot judge the probabilities of such successes or failures, and we have to look at other methodologies that would enable us to estimate the likelihood of the larger events. This is one way of evaluating a “worst-case scenario.”

Fuzzy fault trees

In Chapter 2, we described an approach to fault tree logic that used an assessed probability of an event taking place. A strict interpretation of fault trees does not assign a probability to an event at all; each fault either passes or fails.3 The method illustrated used probabilities to provide an assessment of the likelihood of an occurrence. A further adaptation of that method applies fuzzy logic to FTA: instead of a fixed probability being assigned (in strict FTA, the probability is either 100% true or false), a range of probabilities can be applied to each element. For example, if a particular event has between a 20 and 60% likelihood of occurrence (or any other range between 0 and 100%), the event could be considered probable, and the fault would be carried to the next layer of the system for further analysis. This analysis allows us to better estimate risk in an uncertain environment.4 The use of fuzzy logic is an improvement over the conventional “on-or-off” logic implicit in an FTA, and it uses the same analysis techniques described in Chapter 2, with the exception that it involves a lot more computation, because multiple calculations are required for each event as one steps through the calculations.

For example, if the probability for one event is between 0.2 and 0.6 (20 and 60% likely), one might have to repeat the entire set of calculations for the entire fault tree at stepped intervals—say 0.2, 0.22, 0.24, …, 0.58, and 0.60. The process would then be repeated with the appropriate values on the next element. This is where computers are extremely useful in reducing repetitive and tedious calculations.
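The interval sweep described above, carried through for a small constructed fault tree (this is an added example, not code from the chapter). The tree, the event names and every probability range are hypothetical: a shutdown follows either a sabotage path (perimeter breach AND unlocked motor-control-center door AND an hour unobserved) or a power path (primary power loss AND backup failure). Uncertain events are stepped through their range exactly as the text describes, and the smallest and largest top-event probabilities are recorded.

```python
from itertools import product

# A fault tree node is either a basic event (its name, a str) or a gate tuple:
# ("AND", [children]) or ("OR", [children]). Basic events are assumed independent.


def evaluate(node, probs):
    """Top-event probability for one fixed assignment of basic-event probabilities."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    vals = [evaluate(child, probs) for child in children]
    if gate == "AND":                     # every input must occur: product of p_i
        p = 1.0
        for v in vals:
            p *= v
        return p
    if gate == "OR":                      # at least one input occurs: 1 - prod(1 - p_i)
        q = 1.0
        for v in vals:
            q *= 1.0 - v
        return 1.0 - q
    raise ValueError(f"unknown gate {gate!r}")


def grid(low, high, step):
    """Inclusive stepped values from low to high, e.g. 0.2, 0.22, ..., 0.60."""
    n = int(round((high - low) / step))
    return [round(low + i * step, 10) for i in range(n + 1)]


def sweep(tree, ranges, step=0.02):
    """Step every uncertain event through its (low, high) range; a fixed event is (p, p).

    Returns the smallest and largest top-event probability seen, the event
    assignments that produced them, and how many full tree evaluations were needed.
    """
    names = list(ranges)
    grids = [grid(lo, hi, step) for lo, hi in ranges.values()]
    result = {"min": 1.0, "max": 0.0, "at_min": None, "at_max": None, "evaluations": 0}
    for combo in product(*grids):
        probs = dict(zip(names, combo))
        p = evaluate(tree, probs)
        result["evaluations"] += 1
        if p < result["min"]:
            result["min"], result["at_min"] = p, probs
        if p > result["max"]:
            result["max"], result["at_max"] = p, probs
    return result


# Constructed tree (hypothetical events and figures, not from the chapter).
SHUTDOWN_TREE = (
    "OR", [
        ("AND", ["perimeter_breach", "mcc_door_unlocked", "unobserved_one_hour"]),
        ("AND", ["primary_power_loss", "backup_power_fails"]),
    ],
)

# Ranges: a (0.20, 0.60) event is stepped 0.20, 0.22, ..., 0.60 as in the text.
SHUTDOWN_RANGES = {
    "perimeter_breach":    (0.20, 0.60),   # uncertain: 20 to 60 % likely
    "mcc_door_unlocked":   (0.30, 0.50),
    "unobserved_one_hour": (0.40, 0.40),   # fixed estimate
    "primary_power_loss":  (0.05, 0.05),   # fixed estimate
    "backup_power_fails":  (0.10, 0.30),
}


def shutdown_sweep():
    return sweep(SHUTDOWN_TREE, SHUTDOWN_RANGES, step=0.02)


if __name__ == "__main__":
    r = shutdown_sweep()
    print(f"top event between {r['min']:.4f} and {r['max']:.4f} "
          f"after {r['evaluations']} fault-tree evaluations")
```

Three stepped events already cost 21 × 11 × 11 = 2541 full evaluations of the tree, which is the growth in computation the text warns about; because every basic event only ever makes the top event more likely, the extremes fall at the ends of the ranges.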

Markov chains and Bayesian analysis

Other effective ways of evaluating the likelihood of success or failure of an attack, especially where we do not have data, are to perform a Bayesian network analysis or a Markov chain analysis. These types of analyses can be constructed from the failure or reliability of the various subcomponents of the plant. In these types of analysis, it is often useful to diagram a risk tree, with the probabilities for each option. In a Markov chain, each state is treated as a variable, and matrix methods are employed to describe the risk.5 The computations on a Markov chain can become quite complex and large, and computer methods are used to develop a risk calculation.6 However, if a category or type of risk is not addressed in the model, its contribution remains unknown.
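An added example (not from the chapter) of the matrix method described above: a security subsystem modelled as a Markov chain with three states and one transition per day. The states, the transition matrix and the figures are constructed assumptions; "breached" is made absorbing so that the propagated distribution gives the cumulative probability of a breach within n days.

```python
# States of a perimeter-security subsystem, one transition per day (constructed).
STATES = ["secure", "degraded", "breached"]

# P[i][j] = probability of moving from state i to state j in one day (constructed figures).
# "breached" is absorbing: once a breach has occurred it stays counted.
P = [
    [0.90, 0.09, 0.01],   # secure   -> mostly stays secure; sensors fault 9 %/day
    [0.50, 0.45, 0.05],   # degraded -> repaired half the time; breach risk rises
    [0.00, 0.00, 1.00],   # breached -> absorbing
]
START = (1.0, 0.0, 0.0)   # the subsystem starts fully secure


def check_stochastic(matrix, tol=1e-9):
    """Every row must be a probability distribution; any risk left out of the
    matrix is simply absent from the answer, as the text warns."""
    for row in matrix:
        if any(p < 0 for p in row) or abs(sum(row) - 1.0) > tol:
            raise ValueError(f"row is not a probability distribution: {row}")


def step(dist, matrix):
    """One transition: new_j = sum_i dist_i * P[i][j] (row vector times matrix)."""
    n = len(matrix)
    return [sum(dist[i] * matrix[i][j] for i in range(n)) for j in range(n)]


def propagate(matrix, start, days):
    """State distribution after the given number of daily transitions."""
    check_stochastic(matrix)
    dist = list(start)
    for _ in range(days):
        dist = step(dist, matrix)
    return dist


def prob_breached_within(matrix, days, start=START):
    """Cumulative probability that a breach has occurred by the end of day `days`."""
    return propagate(matrix, start, days)[STATES.index("breached")]


def days_to_reach(matrix, target, start=START, limit=3650):
    """First day on which the cumulative breach probability reaches `target`
    (None if it does not happen within `limit` days)."""
    check_stochastic(matrix)
    dist = list(start)
    breached = STATES.index("breached")
    for day in range(1, limit + 1):
        dist = step(dist, matrix)
        if dist[breached] >= target:
            return day
    return None


if __name__ == "__main__":
    for days in (1, 7, 30, 365):
        print(f"P(breach within {days:3d} days) = {prob_breached_within(P, days):.4f}")
    print("days until a 50 % chance of breach:", days_to_reach(P, 0.5))
```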

The Bayesian network analysis is one of the most powerful analytical tools, as it determines not only direct probabilities but also examines and projects the posterior probabilities based upon the existing data. The changes in any one subcomponent of the plant can then be examined to determine the impact, likelihood of success, or failure on other components of the plant data and model. This technique is extremely powerful but requires a working knowledge of statistics, and it is computationally intensive as well.

The technique may be too sophisticated for many companies, because the most difficult task in a Bayesian analysis is the establishment of the initial condition tables to make sure that they reflect the appropriate values and relationships. The network is then examined to ensure that there are no conditional faults, and the data are fed into a computer to produce the probabilities. This method is computationally similar to the Markov chain analysis.

There are several very good Bayesian network programs and texts7 as cited in the section “Notes”. The assumptions and the setup of the risk decision tables are key to the analytical technique. AgenaRisk is a good program that is free with the purchase of the textbook Risk Assessment and Decision Analysis with Bayesian Networks, by Fenton and Neil (CRC Press). Other programs include Netica (a few hundred dollars from www.norsys.com); GeNIe & Smile is freeware from the University of Pittsburgh (www.genie.sis.pitt.edu), and SamIam (freeware from http://reasoning.cs.ucla.edu/samiam/) is also worth considering.

Other Complementary Techniques

In order to evaluate the likelihood of success or failure of individual security components, and to set up a preliminary analysis of failure modes, it is often wise to consult the American Society for Quality website, www.asq.org. They have free programs that enable the evaluation of failure modes of component devices, and these failure mode analyses can be applied directly to security elements and do much of the initial work in setting up an analysis. This type of analysis is called failure modes and effects analysis, or FMEA for short.

Fishbone (Ishikawa) diagrams

Two of the easiest to use and understand FMEAs are the fishbone diagram (ISHIKAWA diagram) and the Pareto chart. The fishbone diagram should be applied where you are attempting to identify possible causes for a problem or possible methods of attack or interference. The fishbone diagram tends to help avoid falling into ruts by the organization of the diagram. A sample fishbone diagram is shown below—prepared using the free software and guidance from http://www.fishbonediagram.org/template. The website also has a fishbone diagram template for PowerPoint slides. Both are free for downloading. We have followed the basic suggestions for fishbone diagrams and have considered the elements of man power, methods, machines, metrics, materials, and minutes (time) in the diagram below.

In preparing a fishbone diagram, it is important to use a team approach to identify and group possible causes. When possible causes have been identified, group them under representative headings, and then list the individual causes under each group. No idea is too unimportant to consider; when the diagram is completed and the causes are identified, review the diagram and highlight the most important causes.

Example

The example above is for a security failure at a chemical plant that caused a successful attack on a motor control center and an operation control station (Fig. 7.1). The attackers came into the plant through a remote corner of the fence near the tank farm. They went unobserved for an estimated hour. In that time, they managed to enter an unlocked door in a motor control room and dump nails and sand into motor vents and into oil receptacles, causing a number of large motors to burn out. They also compromised an unattended operator’s control station, shutting down some safety interlocks and turning on pumps that they had sabotaged. The result was several tens of thousands of dollars in direct repair, plus many times that in lost production.


Figure 7.1 Fishbone diagram of a successful attack on the XYZ chemical company.

In the analysis, manpower, metrics, methods, machines, time (minutes), and materials are categories for failures of the security system.

In each case, the question of “Why does this happen?” must be answered. Subcauses, if any, are shown as branches of the principal element categories.

A different type of analysis for a plant attack might include the basic question of “How is the plant attacked?” The principal ribs of the fishbone could be environment, weapons, communications, cyber, transportation, storage, raw materials, supervisory controls, laboratory, and pipelines. Subcategories might include such items under raw materials: bomb in shipment, deliberate contamination of feedstock, receiving accidents, storage accidents, etc. The point is to be as thorough as possible and examine each possible method or means until the chart is complete. In some instances, more than one chart may be required for complete analyses.8 The ASQ website also has a free download Excel© spreadsheet with the detailed Ishikawa or fishbone diagram.

Pareto charts

A Pareto chart is a different type of analysis and may be useful in analysis of the number and type of security faults occurring at a facility. If, for example, a number of security and/or safety violation incidents occurred, one would have to categorize them with respect to the type. Each type has to have a common measure over a definite period of time, such as frequency. Categories may be something like fence false alarms, sensor failures, camera failures, personnel incidents, etc. The results are converted to a bar chart with the item with the greatest frequency on the left, and the others arranged in decreasing order. A sample Pareto bar chart is shown in Figure 7.2.


Figure 7.2 Pareto chart on security failures.

Sample of Initial Analysis

The following tables illustrate one type of setup for a fault tree, Markov chain, or Bayesian network analysis of a plant shutdown at a major refinery or chemical plant. It is a starting point, not a finished example: it shows categories of major systems that could fail and cause a plant shutdown. The top level might be general screening categories that could cause a plant-wide failure or emergency leading to shutdown. In reality, most plants are significantly more complex than the example indicates, but it serves to list a few of the categories for further consideration and analysis (Table 7.1).

Table 7.1 Plant shutdown risk analysis table of likely causes

Plant shutdown

  • Supply/storage problems
    • Pipeline
    • Incoming storage tanks
    • Finished product storage tanks
    • Pipeline
    • Port/shipping problems
    • Strike/lockout/labor unrest
  • Electrical problems
    • Primary electrical power
    • Secondary electrical power
    • Backup electrical power
    • Motor control center failures
    • Major motor driver failures (localized)
  • Control problems
    • Computer systems
    • Controller failures
    • Control room problems
    • Faulty sensors
    • Maintenance issues/poor maintenance
  • Process problems
    • Thermal (boiler)/steam
    • Fire
    • Explosion
    • Pipe rupture (major)
    • Valve failures
    • Pump failures
    • Cooling water
    • Major process reactor failures
    • Major environmental releases (gas or water)
  • Exterior problems
    • Security—serious perimeter breach
    • Sabotage
    • Bomb
    • Explosions
    • Attack (rifle, grenade)
    • Construction, construction accidents
    • Weather—flood/hurricane/tornado
    • Earthquake
    • Civil disobedience

The table is designed to catch the major issues and is therefore very general. There are many other specific situations that can create a plant shutdown and a number of subcategories below each of those listed that can create a situation leading to plant shutdown. The table does not seek to address overlapping areas but is a first categorization that identifies some of the problems that can create a shutdown.

In any of the columns, the list can be further subdivided to give greater specificity with regard to the issues listed. As an example, two of the columns from the table above are further categorized in Table 7.2.

Table 7.2 Plant shutdown risk analysis table: Additional detail

  • Supply/storage problems
    • Pipeline
    • Incoming storage tanks
    • Finished product storage tanks
    • Pipeline
    • Port/shipping problems
  • Exterior problems
    • Security—serious perimeter breach
    • Sabotage
    • Bomb
    • Explosions
    • Attack (rifle, grenade)
    • Construction, construction accidents
    • Main plant maintenance
    • Weather—flood/hurricane/tornado
    • Earthquake
    • Civil disobedience

Under the heading Supply Problems, there are a number of categories that come to mind that would require further analysis:

Supply problems

  • Pipeline problems
    • Pipeline leak (PL)
    • Pipeline break (PB)
    • Pipeline corrosion (PC)
    • Pumping station failure (PSF)
    • Pumping station leak (PSL)
  • Incoming storage tanks
    • Tank overfill/spill (TOs)
    • Tank collapse (TC)
    • Tank rupture (TR)
    • Tank valve failure (TVF)
    • Tank roof problems (TRp)
    • Tank major spill (TMS)
    • Tank leaks (TL)
    • Tank fire (TF)
    • Tank capacity problems (TCp)
  • Finished product storage tanks
    • Lack of capacity (FPSLk)
    • Tank overfill/spill (FPSOf/S)
    • Tank rupture (FPSTR)
    • Tank collapse (FPSTC)
    • Contamination problems (FPSCon)
    • Valving problems (FPV)
    • Leaks (FPL)
    • Spills (FPS)
    • Fire (FPFr)
  • Port/shipping problems
    • Dock problems (Dk)
    • Shipping/arrival problems (SHAr)
    • Loading/unloading problems (SHLd)
    • Spills (SHSp)
    • Sabotage (SABO)
    • Pipeline/storage/port problems (SHPrt)
    • Dock security issues (SHDkSec)
  • Exterior
    • Security: Serious perimeter breach problems
      • Unauthorized shipments in plant (EUs)
      • Unauthorized vehicles in plant (EUv)
      • Unauthorized personnel in plant (EUp)
      • Personnel in unauthorized or restricted areas (EUpr)
      • Suspicious packages (ESP)
      • Weapons in the plant (EW)
      • Sabotage: critical controls disabled (SCon)
      • Spoofing of key sensor and control systems (SSpf)
      • Cyber attack (SCA)
      • Physical disabling of motor control centers (SMCC)
      • Unauthorized or improper materials in process feed systems (SQA)
      • Bomb: bomb or explosive device within the plant perimeter or nearby the fence line (B)
      • Explosions: explosions (EXP) or serious fires in adjacent properties (FIRE)
      • Attack: attack by a rifle, grenade, mortar, or other missile (ATK)
    • Construction
      • Construction activities during plant turnaround (CONTU)
      • New construction activities during normal operations (CONNO)
      • Construction accidents leading to fatalities or mass casualties (CONAC)
      • Significant damage to existing structures from new construction or repair activities (CONDAM)
    • Weather
      • Flood (FLD)
      • Tornado (TOR)
      • Heavy snow or ice (SNO)
      • Typhoon or hurricane (HUR)
      • Earthquake: Earthquake (EQ)
      • Tsunami (TSN)
  • Civil disobedience: Civil disobedience impacts or threatens the plant or plant personnel (CIVIL)

In each of these general categories, we have a number of subcategories, and any or all of these events could lead to a plant shutdown if conditions are right. The next step is to begin to categorize the likelihood and severity of the events so that we can get a general handle on the likelihood of their occurrence and form a general opinion on the degree of peril that the plant is in. And, of course, some of these events will come and go and have their own importance: for example, consider the earthquake, flood, or tsunami.

These incidents could be further classified according to their severity 1 and 2, where 1 is a significant event and 2 is a minor problem that could affect production.

Examples of the foregoing include:

  • Pipeline leak
    • Serious—requiring extensive repair and shutdown for a number of days
    • Minor—rupture repaired within 12 hours
  • Pipeline break
    • Large pipeline break ~30 cm or larger requiring days or weeks to repair
    • Smaller pipeline break ~15 cm or smaller requiring less than 2 days to repair
  • Pipeline corrosion
    • Significant corrosion requiring 10+ meters of repair/replacement
    • Minor corrosion requiring under 1 m of repair or replacement
  • Pumping station leak
    • An event that generates a leak causing significant contamination of the environment of over YY cubic meters and requiring a cleanup costing more than $XX
    • A minor spill or leak causing a leak or environmental contamination less than YY cubic meters and/or costing less than $XX for cleanup

Even with the simplest categorization using the 1s and 2s for severity, we now have a single branch of a fault tree that has five levels and close to 60 branches and 120 conditions that should be evaluated for severity and probability. By comparison, the BP Deepwater Horizon Spill Fault Tree Investigation9 has four principal areas of investigation and several hundred individual potential causes. It is worthy of an examination.

Failure Modes and Effects Analysis

Failure Modes and Effects Analysis (FMEA) is very similar to FTA, and it also contains some of the elements of bow-tie analysis: the analysis focuses on what can go wrong and how it can go wrong.

In setting up an FMEA, it is best to start small, with individual systems or subsystems, and not get too large because the size introduces complexity into the analysis and there is likelihood that the FMEA effort will get derailed or lost in the details and not reach a satisfactory conclusion. An FMEA is a dedicated, interdisciplinary team effort. The different disciplines are necessary to consider all the various failure modes.

The first step is process selection. The process must be small enough to be manageable and have few enough variables to prevent it from becoming overwhelming. A typical security-related process might be the evaluation of the fencing and alarm systems, the security of the dock facilities, or the security of the external pipeline systems rather than the internal pipeline systems. The external pipeline is chosen because it is easy to identify and has a single purpose; it is unlikely to be confused with plant piping, which has various sizes and various starting and end points.

Next, select the team for evaluation. In the example of the pipeline, the team should include designers, maintenance personnel, security personnel, the IT department, and the security department as well as someone from finance and accounting. While the latter may not be directly useful in the FMEA, they should be able to provide input as to the likelihood that financial resources and information would be available to implement solutions and to evaluate the potential costs of failures of specific magnitudes. In this instance, it might also be useful to involve the construction department (different from maintenance) because they can provide input on what may be required to facilitate repairs when needed. The team should also include a secretary (one of the team members or an outside consultant) who takes notes and has the technical background to understand the issues and record them properly for evaluation and record keeping.

Next, diagram all the steps in the process. Work out a flow sheet and identify the steps sequentially so that they can be easily referred to in the analysis phase. This task is not as easy as it may first appear. The final diagram for analysis should include all the inputs and control systems. The chemical engineering community refers to this as a process and instrumentation drawing, or a P&ID, and that is a good starting place. But it should be supplemented and simplified so that materials entering the process and their quantities and sources are identified. The outputs should be similarly identified. The final product should be agreed to by the team.

Following this, the drawing should be analyzed by the team to indicate all the areas where something can go wrong or where there may be a critical fault. The list should include minor and infrequent faults. This will generate a list of potential problem areas and hazards. This list should be tabulated. One type of appropriate analysis form is shown in Table 7.3.

Table 7.3 FMEA worksheet (more extensive forms are available for free download from ASQ.org)

Columns: Incident number; Type of failure; Failure condition; Effects of failure; Probability of occurrence; Probability of timely detection; Severity; Risk profile number; Actions to reduce risk

  • Incident 1
    • Type of failure: Alarm
    • Failure condition: False alarm
    • Effects of failure: Indicated security breach in fence
    • Probability of occurrence: Frequent, daily until repair is made
    • Probability of timely detection: Detection within 10 minutes
    • Severity: Important
    • Risk profile number: 6—false alarms
    • Actions to reduce risk: Fencing and sensing repair
  • Incident 2
    • Type of failure: Pump and valve
    • Failure condition: Failed open
    • Effects of failure: Loss of 55,000 barrels of product
    • Probability of occurrence: Rare but should be preventable
    • Probability of timely detection: Shift change (8 hours)
    • Severity: Critical
    • Risk profile number: 12—plant spill
    • Actions to reduce risk: Institute lockout/tagout program to prevent recurrence
  • Incidents 3, 4, and 5: blank rows for the team to complete

The form will stretch on for a number of pages if properly executed. The team should identify the failure causes and effects. An arbitrary ranking on a scale of 1–10 should be used to indicate the severity of the incident and the likelihood of the occurrence and the likelihood of detection of the incident before it occurs! The same numerical scale for likelihood of occurrence, likelihood of detection, and severity of occurrence should be used, and the team agreement is a consensus activity. The risk profile number is obtained by multiplying the occurrence, detection, and severity numbers together, yielding a number between 1 and 1000.

The final column of action to reduce recurrence of failure should also be a consensus activity. There will be a number of items and actions, and it may be useful to record the solutions on separate sheets in a notebook, as there are sure to be more than one solution for each item. The appropriateness of each solution should be highlighted, and the expansion or elucidation of the ideas should be cross-referenced to the form. The final report of the FMEA committee should be prepared and summarized in an indexed and clearly worded report with recommendations highlighted in bullet format with proposed costs and alternatives clearly defined.10

As an example, we have filled out the first two lines of the table to illustrate the types of factors to be considered.

In the first line, a simple sensor failure is providing a signal that indicates that there is a breach in the fence. The severity or criticality is low to moderate because there are other indicators and visual observation of the area in question.

In the second line, maintenance had removed a pump from a tank, but did not lock out and de-energize the electrical fittings. Maintenance also neglected to notify operations that the pump was out of service. The operator opened the valve and the spill happened. It could have been prevented by simple lockout–tagout procedures.
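An added example (not the chapter's own worksheet) of the risk profile number arithmetic described above, using the two Table 7.3 rows plus one constructed row. The 1–10 occurrence, detection and severity scores are assumptions chosen to match the rows' descriptions (the table's own 6 and 12 are on a different scale), and the re-scoring after the agreed actions is likewise constructed to show how residual risk is compared with the original ranking.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FmeaRow:
    incident: int
    failure_type: str
    condition: str
    effect: str
    occurrence: int   # 1 = rare ... 10 = frequent
    detection: int    # 1 = caught before it matters ... 10 = not detected in time
    severity: int     # 1 = negligible ... 10 = catastrophic
    action: str

    def __post_init__(self):
        # Same 1-10 scale for all three factors, as the text requires.
        for field in ("occurrence", "detection", "severity"):
            value = getattr(self, field)
            if not 1 <= value <= 10:
                raise ValueError(f"{field} must be 1..10, got {value}")

    @property
    def rpn(self):
        """Risk profile number: occurrence x detection x severity, 1..1000."""
        return self.occurrence * self.detection * self.severity


# Table 7.3's two rows re-scored on the 1-10 scale (scores are constructed
# assumptions), plus a third constructed row.
WORKSHEET = [
    FmeaRow(1, "Alarm", "False alarm", "Indicated security breach in fence",
            occurrence=9, detection=2, severity=3,
            action="Fencing and sensing repair"),
    FmeaRow(2, "Pump and valve", "Failed open", "Loss of 55,000 barrels of product",
            occurrence=2, detection=7, severity=9,
            action="Institute lockout/tagout program to prevent recurrence"),
    FmeaRow(3, "Camera", "Dock camera offline", "Dock unloading unobserved",
            occurrence=4, detection=5, severity=4,
            action="Spare camera and camera heartbeat alarm"),
]

# Constructed re-scoring after the agreed actions: lockout/tagout with an
# operations notification cuts both occurrence and detection for incident 2.
AFTER_ACTIONS = {
    1: {"occurrence": 3},
    2: {"occurrence": 1, "detection": 3},
    3: {"detection": 2},
}


def rank(rows):
    """Highest risk profile number first; ties broken by severity so the worst effect leads."""
    return sorted(rows, key=lambda r: (r.rpn, r.severity), reverse=True)


def apply_actions(rows, rescored):
    """Re-score rows after the agreed actions; rescored maps incident -> new scores.
    replace() rebuilds the row, so the 1..10 validation runs again."""
    return [replace(r, **rescored.get(r.incident, {})) for r in rows]


def residual_risk(rows, rescored):
    """[(incident, rpn_before, rpn_after)] in original-risk order."""
    after = {r.incident: r for r in apply_actions(rows, rescored)}
    return [(r.incident, r.rpn, after[r.incident].rpn) for r in rank(rows)]


if __name__ == "__main__":
    for incident, before, after in residual_risk(WORKSHEET, AFTER_ACTIONS):
        print(f"incident {incident}: RPN {before:4d} -> {after:4d}")
```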

DHS Analysis and Plans

The point of this section is to illustrate how the DHS has adopted the general principles involved in development of a security plan and to briefly outline the elements that comprise their requirements for security. Their approach to chemical plant security is entirely consistent with good practice as outlined in this book.

After the attack on the World Trade Center on September 11, 2001 (9/11/2001), the US DHS was formed on September 22, 2001, and, with the passage of the Homeland Security Act of 2002, went into high gear with regard to all types of security systems in the United States and particularly the chemical industry sector. Their program is the Chemical Facility Anti-Terrorism Standards found in the US Code of Federal Regulations 6 CFR 27.215 and 6 CFR 27.235. The program is essentially divided into four tiers based upon the type of chemicals and the volume of chemicals produced as listed in 6 CFR Part 27 (FR Vol. 72, No. 223, Tuesday November 20, 2007, pp. 65421–65435). This is known as the Top Screen Process. Any company having an inventory greater than the screening threshold will fall into tier 1, 2, 3, or 4. Tier 1, 2, or 3 facilities must develop and submit a security plan along the following guidelines. Starting at 6 CFR 27.225, the risk-based security standards are to be implemented as follows:

Facilities that fall into the tier 4 requirements can submit an alternative security plan. The plans are shared with the DHS and reviewed by DHS, plus the required annual review by the company subject to the regulations.

Bow-tie Analysis

Bow-tie analysis is a graphical way of hazard or incident assessment that is applicable to specific processes. It does not lend itself well to more broad security and risk analysis, but it does have the advantage of illustrating not only the hazards and initiating events but the recovery steps as well.

The risk assessment or hazard assessment has been examined and discussed earlier. The bow-tie method is illustrated in Figure 7.3:


Figure 7.3 Example of bow-tie analysis.

The bow-tie method figure above is somewhat self-explanatory. The unwanted event is placed in the center of the diagram, and threats, causes, and attacks are on the far left. Moving to the right are the control or mitigation measures, which form an upper and lower bound on the attack and tend to prevent its occurrence. On the right of the event are the recovery measures and the potential consequences. It is possible for one control or recovery measure to span more than one threat and for one recovery measure to have more than one outcome. The advantage is that the “cause and the fix” are on one format and can be compared. The disadvantage is that the level of detail about the attack and recovery may be primarily in summary form and not have sufficient detail to provide meaningful input. The detail may require supplemental sheets or plans.11

Example

In the figure above, let us assume that there is a large tank of petroleum (flammable) material, and a tank of highly odorous trimethyl amine nearby. The consequences from a petroleum leak (threat A) would be fire, smoke, vapor cloud, and possibly community evacuation. Trimethyl amine is a highly odorous compound that smells like dead fish.

The nose can detect concentrations of TMA as low as 0.267 mg/m3 in air, and the compound has a high vapor pressure (1189 mm Hg @ 15°C, while water is 187.5 mm Hg @ 15°C), so it will evaporate out of water; it has a recommended exposure limit (8-hour TWA between 10 and 15 mg/m3), and it will outgas from water. A release of the material can be both irritating and hazardous to the health of the community.12 A release should be avoided at almost all costs.

Top-level undesired consequences are:

  1. Community evacuation
  2. Fire
  3. Explosion
  4. Community exposure to chemicals

Threat scenario A is a leak in a petroleum tank.

Threat scenario B is a leak in any part of the TMA plant.

  • Control measures for A:
    • Continuous inspection of tanks and piping
    • Periodic pressure testing of lines
    • Periodic maintenance of seals and pumps
    • Electrical grounding of all hoses and piping
    • Fire foam for dikes around the tank
  • Control measures for B:
    • Periodic inspection and testing of all valves and joints with electronic sniffers to detect leaks
    • Use of welded steel pipes, minimizing flanges
    • Regular maintenance
    • Grounding of all piping
    • Periodic replacement of pump seals
    • Enclose plant within a structure
    • Use of acid scrubber for gases from the building to reduce TMA
  • Recovery measures for A:
    • Diking for spill control
    • Vapor blanketing for diked area
    • Spill control drills
    • Rapid response for cleanup
    • Firefighting measures
  • Recovery measures for B:
    • Community evacuation
    • Shelter in place
    • Acid water spray to attempt to knock down vapor cloud
  • Potential consequences for A:
    • Fire
    • Underground contamination that needs to be cleaned up
    • Expensive spill cleanup
    • Loss of product
  • Potential consequences for B:
    • Adverse long-term health effects
    • Bad community relations
    • Expensive decontamination of residences and properties
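The bow-tie example above as a small data model, added here as an illustration (not from the original text), so that the “cause and fix” view, coverage gaps, and controls spanning more than one threat can be checked mechanically. The event label and the treatment of piping grounding as a single control shared by threats A and B are assumptions; the threat, control, recovery, and consequence lists are taken from the example.

```python
# Added illustration (not from the original text): the bow-tie example above
# as a data model, so that coverage gaps and controls shared between threats
# can be checked mechanically.
from dataclasses import dataclass, field

THREAT_A = "A: leak in a petroleum tank"
THREAT_B = "B: leak in any part of the TMA plant"
# Both threat lists carry a grounding measure; treating it as one control
# shared by both threats is an assumption made to show a spanning control.
GROUNDING = "Grounding of all hoses and piping"


@dataclass
class Threat:
    name: str
    controls: list        # measures left of the event that prevent it
    recovery: list        # measures right of the event that limit the outcome
    consequences: list    # potential outcomes if recovery fails


@dataclass
class BowTie:
    event: str
    threats: list = field(default_factory=list)

    def coverage(self):
        """Counts per threat: controls, recovery measures, consequences."""
        return {
            t.name: {
                "controls": len(t.controls),
                "recovery": len(t.recovery),
                "consequences": len(t.consequences),
            }
            for t in self.threats
        }

    def gaps(self):
        """Threats with no control measure or no recovery measure at all."""
        return [t.name for t in self.threats
                if not t.controls or not t.recovery]

    def shared_controls(self):
        """Controls that appear under more than one threat."""
        owners = {}
        for t in self.threats:
            for c in t.controls:
                owners.setdefault(c, set()).add(t.name)
        return {c: sorted(names) for c, names in owners.items()
                if len(names) > 1}


# Event label is an assumption; the lists below are taken from the example.
EXAMPLE = BowTie(
    event="Uncontrolled release from the tank area",
    threats=[
        Threat(
            THREAT_A,
            controls=[
                "Continuous inspection of tanks and piping",
                "Periodic pressure testing of lines",
                "Periodic maintenance of seals and pumps",
                GROUNDING,
                "Fire foam for dikes around the tank",
            ],
            recovery=[
                "Diking for spill control",
                "Vapor blanketing for diked area",
                "Spill control drills",
                "Rapid response for cleanup",
                "Firefighting measures",
            ],
            consequences=[
                "Fire", "Underground contamination that needs to be cleaned up",
                "Expensive spill cleanup", "Loss of product",
            ],
        ),
        Threat(
            THREAT_B,
            controls=[
                "Periodic inspection and testing of valves and joints with sniffers",
                "Use of welded steel pipes, minimizing flanges",
                "Regular maintenance",
                GROUNDING,
                "Periodic replacement of pump seals",
                "Enclose plant within a structure",
                "Use of acid scrubber for gases from the building",
            ],
            recovery=["Community evacuation", "Shelter in place",
                      "Acid water spray to knock down vapor cloud"],
            consequences=[
                "Adverse long-term health effects",
                "Bad community relations",
                "Expensive decontamination of residences and properties",
            ],
        ),
    ],
)
```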

HAZOPS and Process Safety Management

HAZOPS is a program designed to deal with and assess hazardous chemical production and overall chemical safety in manufacturing and handling operations. The program is specified under US regulations in 29 CFR (OSHA). There are several approaches to HAZOPS. The first is fault tree analysis, which we have already covered; a second is the “what if?” approach; a third is the checklist approach. Each is designed to identify process safety hazards, which include individual worker safety issues and overall plant and production safety issues in manufacturing, storage, handling, shipping, and chemical reactivity.

Some in the operations group of a plant would tend to argue that HAZOPS and PSM (process safety management) are the exclusive property of the engineering, safety, and management departments. However, there are a number of ways in which security has to be involved in the response to any and all incidents; therefore, security should be included in any such analyses.

The overall HAZOPS process requires a lot of information on process safety. Note specifically that the information required of an operator of a chemical facility is complete documentation of the process; all pertinent records on reactions, corrosion, etc.; information on control limits; how to start up and shut down the process; and how to restore order to the process once it gets out of control.

The full regulations can be found in 29 CFR 1910.119 and 1910.109 under process hazard analysis (PHA), at the reference cited at the end of this paragraph.13

OSHA also references a number of relevant training documents that can be helpful for analysis. One is a PowerPoint document that outlines the basics of the PSM process, and the second is a checklist for auditing PSM compliance.14 A brief outline of the critical elements of the PSM process and their applicability to security concerns follows.

Process safety information: General

Employers must complete a compilation of written process safety information before conducting any PHA required by the standard. The compilation of written process safety information, completed under the same schedule required for process hazard analyses, will help the employer and the employees involved in operating the process to identify and understand the hazards posed by those processes involving highly hazardous chemicals. Process safety information must include information on the hazards of the highly hazardous chemicals used or produced by the process, information on the technology of the process, and information on the equipment in the process.

The approach here is to indicate the relevant information for planning processes as it may relate to the physical security of the plant. The following information should be included, where appropriate, in the emergency and security plans kept in the master file of the plant, which is available to plant security and to select management teams in the security force. The purpose is to provide enough information for emergency responders and guards to facilitate evacuations and/or work safely when there is an incident in the plant.

In that regard, a planning tool such as ALOHA15 is excellent because it permits evaluation of the on- and off-plant effects of accidental chemical releases.

PHA and HAZOPS

PHA and HAZOPS are processes applicable to the process and manufacturing industries, primarily designed as safety analysis tools for plant operations. There are several different ways of performing a PHA as it may apply to plant security. The applicable methods include a review of a detailed checklist prepared with regard to the process and a comprehensive analysis of the modes of failure and restoration: a “what-if” analysis that reviews the plant processes literally pipe by pipe and process by process, looking for what can happen and/or go wrong.

For the security professional, PHA and HAZOPS have some of the same elements but with a slightly different focus. We will designate this security-focused variant the SPHA.

An SPHA study identifies hazards and operability problems by identifying how the plant security system might deviate from the design intent. If a solution to a problem becomes apparent, it is recorded as part of the SPHA result, but the prime objective of the SPHA is problem identification.

SPHA studies are normally conducted during the design phase, especially when new technology or processes are involved, as part of the larger PHA in the plant, but they can be used at almost any phase of a plant’s or security system’s life.

The PHA and SPHA are based on the principle that several experts with different backgrounds can interact and identify more problems when working together than when working separately and then combining their results. The most common form of HAZOPS study employs guide words to test the consequences of parameters deviating from design.

The objectives of an SPHA study may include the following: (i) check the safety of a design, perimeter, or remote location; (ii) check the maintainability and operability of a design or configuration and equipment; (iii) decide whether and where to build additional security measures or improvements; (iv) develop a list of questions to ask a supplier of equipment; (v) check operating and safety procedures and test the security of an operation or part of the plant.

Additional purposes may include improvement of the safety of an existing facility by examining the various elements of the security, fire, health, safety, and other divisions and their coordinated functioning in time of a plant-wide incident, and verification that security instrumentation is reacting to optimum parameters with minimal interference.

Consequences to be considered

It is also important to define what specific consequences are to be considered if there is a security breach or nonperformance, and how it may affect employee safety, loss of plant or equipment, loss of production, liability, insurability, public safety, and impact on the neighborhood surrounding the plant, and, if appropriate, environmental impacts due to incidents arising from security failures or from responding to incidents involving plant fire, explosion, or other causes.

The SPHA team must be chosen from experienced people, preferably with knowledge of a similar facility, who will likely be involved with the operation of the plant, and should include someone who is intimately familiar with the functioning of the security operations at the facility. The team leader should be chosen for his/her ability to get the team to focus on making the analysis rather than for the ability to solve problems; the issues identified can be resolved after the SPHA. Depending on the scope of the SPHA, the following team assignment is suggested.

HAZOPS- or SPHA-specific guide words—simple words used to qualify or quantify the intention in order to guide and stimulate the brainstorming process and so discover deviations or failures or problems in the security function.

Note: HAZOPS reviews use specific guide words that may or may not be applicable to the security function. The use of HAZOPS guide words is suggested and may be helpful, but not mandatory because of the specialized purpose of the SPHA.

The success or failure of the SPHA review depends on several factors: (i) the completeness and accuracy of drawings and other data used as a basis for the study; (ii) the technical skills and insights of the team; (iii) the ability of the team to use the approach as an aid to their imagination in visualizing deviations, causes, and consequences; and (iv) the ability of the team to prioritize and concentrate on the more serious failures or flaws that are identified.

The following checklists are for PHA at the plant level, but plant security should play a role in the overall planning. Table 7.4 is an example of the PHA process and security’s role in it.

Table 7.4 Process hazard analysis and security’s role

PHA element: Basic physical and chemical information that should be available
  • Toxicity
  • Permissible exposure limits
  • Physical data of chemicals and equipment
  • Reactivity data
  • Corrosivity data
  • Thermal and chemical stability data
  • Hazardous effects of inadvertent mixing of different materials
Security’s role: This information should be available to the guard force in a reference manual or tables so that planning exercises can be conducted using realistic scenarios for disaster mitigation.

PHA element: A block flow diagram or simplified process flow diagram
Security’s role: The block flow diagram should show the locations of critical shutoff valves and fire extinguishers, sewer covers, and spill kits.

PHA element: Process chemistry
  • Maximum intended inventory
  • Safe upper and lower limits for such items as temperatures, pressures, flows, or compositions
  • An evaluation of the consequences of deviations, including those affecting the safety and health of employees
Security’s role: The information on deviations should be summarized to inform the guard force about the type of incident and its probable cause and location.

PHA element: Material safety data sheets
Security’s role: In any event, MSDS should be posted or otherwise available, in multiple places around the facility, to all plant employees and to the guard force, which would have multichemical and multilocation exposure during an incident. The guard force should also be included in training for first responders and, where necessary, be instructed and trained in the use of safety suits and equipment.

PHA element: Process information
Security’s role: This information should be summarized according to the potential major hazards; for example, high voltage, volatile chemicals, acids, bases, reactive materials, etc. should be identified.

PHA element: Storage tanks
Security’s role: Storage tanks should be identified by type, contents, diking capacity, and drainage system, including hazards. In 1975, the Gulf Oil Refinery near Philadelphia, PA, had a tank fire. Firefighters were standing in an adjacent diked area spraying water and fire foam on the burning tank and did not recognize that they were standing in water that had a volatile layer of oil floating on top of it. The fire foam provided an insulating blanket that prevented volatilization of the floating oil. When the blanket was ruptured (cause unknown), the volatile vapors flashed and caught fire catastrophically, killing eight firefighters and burning up a fire truck. See the description in Wikipedia: http://en.wikipedia.org/wiki/1975_Philadelphia_Refinery_Fire

PHA element: Ventilation systems, relief systems, and a general description of safety systems
Security’s role: Necessary for plant safety during an incident; the description should indicate the type of shutoff controls and their locations.

PHA element: The plant should have a periodic safety review by one or more of the following techniques:
  • What if
  • Checklist
  • What if/checklist
  • Hazard and operability study (HAZOP)
  • Failure mode and effects analysis (FMEA)
  • Fault tree analysis
  • An appropriate equivalent methodology
Security’s role: These are methods of assessing the safety and security of the plant and its operations.

PHA element: Operating procedures
Security’s role: Required for guard force and security operations. This does not necessarily include the guidance for the operators but should be a well-thought-out set of routine and emergency instructions to the guard force. Note: The instructions should not simply say, “Contact the dispatch or control center for instructions,” but should be detailed enough to permit the guard force to participate in the resolution of the emergency.

PHA element: Written action plans and training
Security’s role: While the OSHA PSM standard applies more thoroughly to the plant, a comparable level of planning and training should be given to the guard force with a view toward their utilization during an incident, whether it be a security breach or a major plant conflagration.

PHA element: Refresher training
Security’s role: The training should be updated annually and should be thoroughly documented.

PHA element: Security procedures should include contract labor as well as new employees
Security’s role: Contractors in the plant may represent a unique hazard, as they are not vetted to the same extent as plant employees. New employees, especially those in critical positions, should be copilot trained until their activities and reliability can be assured. The procedure for this is described in one of the award-winning master’s theses from the Naval Postgraduate School Center for Homeland Defense and Security. The program consists of copiloting new employees with different experienced and trusted personnel, who will also conduct their reviews and evaluations. The program was titled “No Open Doors.”

PHA element: Permit enforcement within the plant
Security’s role: Items such as hot work, lockout/tagout, confined space, etc. are critical to the safe operation of any facility. The question of who issues and enforces the permits must be addressed with plant security as well as operations. Normally, the security force is not included in this operation.

PHA element: Incident investigation
Security’s role: A member of the security force should be on the team that investigates all plant incidents and accidents.

PHA element: Shipping and receiving (trade)
Security’s role: The security force should be heavily involved in monitoring warehouse and shipping and receiving operations, not only to prevent theft but also for vessel and vehicle security.

PHA element: Normally unoccupied and remote facilities
Security’s role: These represent a special challenge to the security force as well as to operations, because sabotage or an outside attack on such facilities is low risk for the attacker and has a high probability of success.

PHA element: Dangerous goods, radioactives, and other storage areas
Security’s role: While these are routinely a part of the warehouse operations, special precautions may be required for storage areas, magazines, and other facilities that handle highly energetic compounds and/or radioactive materials because of the specialty licensing requirements.

PHA element: Waste disposal
Security’s role: Security should also be involved in waste disposal operations as a precaution, not only to prevent loss but also to prevent acts of sabotage or explosives from being smuggled into the plant.

PHA element: Emergency response operations
Security’s role: During a plant incident, the various roles of fire, emergency, ambulance, and other support and external services, as well as internal plant operating departments, are called into service. Plant security plays a critical role in this emergency, providing coordination and control services, admitting personnel to the plant, excluding unwanted or unnecessary personnel, and communicating with outside services that may be required to provide an evacuation of the facility or the community. These areas should be addressed in the plan.

ALOHA, CAMEO, and Security Planning Tools

The CAMEO suite (Computer-Aided Management of Emergency Operations) is available free of charge as a download from the US Environmental Protection Agency (http://www2.epa.gov/cameo/what-cameo-software-suite). It consists of several tools that are useful in planning for emergencies. CAMEO was developed from ARCHIE, an old and now out-of-date computer program developed for emergency response. The CAMEO suite includes the programs described below.

The CAMEO database is a database and information management tool that assists US facilities in meeting their data management and reporting requirements under the Emergency Planning and Community Right-to-Know Act, which affects US facilities only.

CAMEO Chemicals includes chemical response datasheets and a reactivity prediction tool; its UN/NA datasheets provide information on health hazards, physical properties, air and water hazards, spill response, and firefighting recommendations. Much of the information base comes from the Emergency Response Guidebook and the Hazardous Materials Table (49 CFR 172.101). The program also allows one to mix chemicals and predict the reactions (http://www.cameochemicals.noaa.gov). The file is about 43 MB; it is available for handheld computers and is accessible online.

MARPLOT is a mapping application. Because the CAMEO suite was developed by the USEPA, the mapping database accompanying the program is primarily for US cities, but the program is applicable worldwide. MARPLOT allows the user to enter local mapping data that may include schools, property lines, etc. and then view the generated data.

ALOHA (Areal Locations of Hazardous Atmospheres) includes dispersion modeling programs that the user can control. In order to use the program, one needs to know something about air dispersion modeling. The user can control atmospheric conditions for the modeling, including horizontal mixing, and the program will also model dense gas dispersion. The user can, within very broad limits, set and control the material released and the type of release, and the program will model fireballs, gas releases, etc. One can set the type of tank: whether it is full or empty, horizontal or vertical, under pressure, and partially full or full. The program allows the user to map the hazard areas associated with the release. It is designed to provide emergency information for planning purposes and first responders. We have used this in a large number of applications for planning purposes and have found it excellent!16 The program models single- and two-story buildings and allows the user to set the number of air changes per hour in the building.

The Colored Books

The EU has come up with a number of manuals on reliability and security. These were prepared under the auspices of the European Union Economic Commission for Europe (EUECE).

The colored books are so named by the color of their jackets.

The first of the colored books really has no color at all. It was prepared by the EUECE and is titled as follows.

Generic Guideline for the Calculation of Risk Inherent in the Carriage of Dangerous Goods by Rail

This guideline addresses the movement of dangerous goods by rail, and it has a good discussion of the risk assessment of rail movement and of accident rates for transportation incidents.

The Orange Book: Management of Risk—Principles and Concepts

The Orange Book is accurately titled with regard to its contents. It is relatively short, weighing in at 52 pages, but it discusses all of the major concepts involved in risk management, although not in the detail covered in this book. The book is published by the Royal Treasury in the United Kingdom and is available for free download: https://www.gov.uk/government/publications/orange-book.

The opening lines of the Orange Book recommend that it be read in conjunction with the Green Book (which will be discussed in following paragraphs). The Orange Book lays out the general principles of risk management and has several unique observations:

  • “The management of risk is not a linear process; rather it is the balancing of a number of interwoven elements which have to be in balance with each other if risk management is to be effective. Furthermore, specific risks cannot be addressed in isolation from each other; the management of one risk may have an impact on another, or management actions which are effective in controlling more than one risk simultaneously may be achievable.”
  • “There is no single right way to document an organization’s risk profile, but documentation is critical to effective management of risk.”
  • There are two different phases of risk identification:
    • Initial risk identification (for an organization that has not previously identified its risks in a structured way, or for a new organization, or perhaps for a new project or activity within an organization).
    • Continuous risk identification is necessary to identify new risks that did not previously arise, changes in existing risks, or risks that did exist ceasing to be relevant to the organization (this should be a routine element of the conduct of business).
  • Risks should be related to objectives.
  • “Individual risks which an organization identifies will not be independent of each other; rather they will typically form natural groupings…. It is important not to confuse the grouping of risks with the risks themselves…. All risks, once identified, should be assigned to an owner who has responsibility for ensuring that the risk is managed and monitored over time.”
  • Important risk assessment principles include:
    • Ensuring that a clearly structured process identifies both the likelihood and the impact for each considered risk
    • Recording and documenting risk considerations in a manner that can facilitate identification and monitoring of the risk priorities
    • Clarity in describing the difference between inherent and residual risk17
  • Risk management can be dealt with by (i) toleration, (ii) treatment, (iii) transferring, or (iv) termination of the risk elements.
  • Recommendations include monitoring of the risk profile, performing risk review annually, and making provisions to alert management to changing (increasing) levels of risk.
  • Much of the risk assessment is focused on financial risk (where it needs to be), but the principles relate primarily to accounting practices, and the document relies on Risk Management Guidance and the Mullarkey Report (2003) on risk assessment, which is generally unavailable because it has been institutionalized.
  • A copy of parts of the Mullarkey Report is available from the Government of Ireland, Government Accounting Section, Department of Finance, March 2004, Risk Management Guidance for Government Department and Offices.
  • The guidance document cited in the preceding paragraph uses a risk register, which is a summary of risks with columns for a brief description of the risk item; the division to which it is assigned; the policy or strategy number; numeric rankings for likelihood, impact, and control effectiveness; a rating number obtained by multiplying the three rankings together; a brief statement of consequences; measures to address the risk; additional actions; and, finally, the owner of the issue (the person responsible for minimizing the risk). In short, it is similar to the type of table used in a bow-tie analysis, pinned to a division and an owner of the risk.
  • One other document used in the United Kingdom is the HM Treasury Risk Management Assessment Framework: A Tool for Departments (July 2009). The document takes a slightly different approach to the Mullarkey principles but provides a comprehensive and thorough discussion for review.
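A risk register of the kind just described, added as an example (not from the Orange Book, the Mullarkey guidance, or this chapter), with the rating computed by multiplying the three rankings and checks for unowned risks and division grouping. It assumes each ranking is on a 1 to 5 scale with 5 the worst case (most likely, most severe, weakest control), so that the product rises with risk; the entries are constructed from this chapter’s bow-tie and contractor examples.

```python
# Added example (not from the Orange Book, the Mullarkey guidance, or this
# chapter): a risk register with the columns described above. Assumption:
# likelihood, impact and control effectiveness are each ranked 1 to 5 with
# 5 the worst case (most likely, most severe, weakest control), so that the
# rating rises with risk. The entries below are constructed.
from dataclasses import dataclass
from typing import Optional

RANK_MIN, RANK_MAX = 1, 5
RANKED = ("likelihood", "impact", "control_effectiveness")


@dataclass
class RiskEntry:
    description: str
    division: str
    policy_ref: str
    likelihood: int
    impact: int
    control_effectiveness: int   # 1 = strong control, 5 = weak (assumption)
    consequences: str = ""
    measures: str = ""
    additional_actions: str = ""
    owner: Optional[str] = None

    def __post_init__(self):
        # Reject rankings outside the scale before a rating is ever computed.
        for name in RANKED:
            value = getattr(self, name)
            if not RANK_MIN <= value <= RANK_MAX:
                raise ValueError(
                    f"{name} must be {RANK_MIN}..{RANK_MAX}, got {value}")

    @property
    def rating(self) -> int:
        """Rating number: the three rankings multiplied together."""
        return self.likelihood * self.impact * self.control_effectiveness


def prioritize(register):
    """Highest rating first; ties broken by impact so severe risks surface."""
    return sorted(register, key=lambda e: (e.rating, e.impact), reverse=True)


def unowned(register):
    """Risks not yet assigned to an owner, which the guidance requires."""
    return [e.description for e in register if not e.owner]


def by_division(register):
    """Group entries by the division the risk is pinned to."""
    groups = {}
    for e in register:
        groups.setdefault(e.division, []).append(e)
    return groups


# Constructed entries, drawn from the bow-tie and contractor examples above.
REGISTER = [
    RiskEntry("TMA release reaching the community", "Operations", "SEC-07",
              likelihood=2, impact=5, control_effectiveness=2,
              consequences="Evacuation, health effects, bad community relations",
              measures="Welded pipe, sniffer inspections, acid scrubber",
              additional_actions="Enclose plant within a structure",
              owner="Plant manager"),
    RiskEntry("Petroleum tank leak", "Operations", "SEC-03",
              likelihood=3, impact=4, control_effectiveness=1,
              consequences="Fire, spill cleanup, loss of product",
              measures="Inspection, pressure testing, diking",
              owner="Tank farm supervisor"),
    RiskEntry("Unvetted contractor access to process areas", "Security", "SEC-12",
              likelihood=4, impact=3, control_effectiveness=3,
              consequences="Theft or sabotage",
              measures="Escort policy"),          # no owner assigned yet
]
```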

The Green Book: Methods for the Determination of Possible Damage to People and Objects Resulting from Release of Hazardous Materials, CPR-16E

This document has seven chapters in 337 pages. The chapters address (1) damage caused by heat radiation, (2) the consequences of explosion effects on structures, (3) the consequences of explosion effects on humans, (4) survey study of the products that can be released during a fire, (5) damage caused by acute intoxication, (6) protection against toxic substances by remaining indoors, and (7) population data.

Chapter 1 of the Green Book deals with the effects of heat radiation and has useful curves and data and formulas on burn/exposure data for exposed skin and clothing ignition from various sources. The first chapter on radiation damage also considers the radiation values for ignition of building materials, softening steel members, and the formulas for the evaluation of these cases.

The limiting value for third-degree burns varies between 125 and 140 kJ/m2, for durations of 1–35 seconds. For second-degree burns, the minimum value is between 30 kJ/m2 at about 3 seconds and about 75 kJ/m2 at 30 seconds for guidance. The formula for determining the degree of burn based on a heat exposure and time is complex and involves error function curves and higher mathematics. There is also a good discussion on pool fires and fireball (BLEVE) explosions. As such, it is useful for planning purposes but extremely complex and perhaps unusable in an emergency situation without substantial evaluation and applications.

Chapters 2 and 3 of the Green Book deal with blast effects and loadings; they are excellent and have many useful tables and graphs on the calculation of blast effects on buildings and on humans. There is also a substantial section on the extremely complex subject of building response to blast and shock loadings. The analysis is quite detailed on the subject of the natural periodicity of buildings in response to shock loadings.

There is also a section on the empirical data of blast loadings and effects: on buildings, pressure loadings on the order of the following will create significant damage.

Damage level                      psi     kPa
Total destruction of structure    >12     >83
Heavy damage                      >5      >35
Moderate damage                   >2.5    >17
Minor damage                      >0.5    >3.5

There is also a useful gauge that compares the relative damage levels and the difference between English- and US-built homes, where the English homes are generally brick built. It generally follows the information outlined immediately above, but it is interesting to observe that comparable low-level pressure events on US-style homes appear to cause less damage than in brick-built homes. This is believed to be due to the difference in building materials, as US homes tend to use more wood. The appendices to the chapter on the effects of explosions on buildings contain a number of good models for additional mathematical analysis.

Chapter 3 of the Green Book principally deals with the effects of blasts on human populations, including the effects of explosions and flying debris such as glass on the body and on the skin. Part of the chapter deals with the crushing of organs and lungs due to the explosive force and internal damage of people in the vicinity of an explosion. Overall, the material is quite detailed and quite useful.

Chapter 4 of the Green Book concerns itself with the damage caused by combustion products, particularly those containing organic and chlorine compounds. As such, there is a good bit of information on the formation of combustion products that result in polychlorodibenzo-p-dioxins and other polychlorinated compounds. The information on combustion by-products is both useful and timely with regard to planning for any incidents.

Chapter 5 of the Green Book deals with the effects of acute intoxication, but the title is misleading: the chapter does not deal with alcoholism but with inhalation of toxic substances. As such, it provides an excellent guide to the subject of inhalation. It is not as comprehensive as the NIOSH Pocket Guide to Hazardous Chemicals, but it is good.18 The personal preference is for the NIOSH guide because it is both available as a PDF and designed for handheld computers.

Chapter 6 of the Green Book discusses protection against toxic substances by remaining indoors. The relative effect of protection depends on a number of factors, including wind speed, concentration in the toxic cloud, insulation of the building, ventilation rate of the structure, absorption of the hazardous materials, particle or molecule size, and other factors. It cites the idea that most residential structures have a ventilation rate of 0–0.5 h⁻¹ (air changes per hour), so that the protection factor can be preliminarily assessed as equal to 2.0 for a hazardous emission duration of 1 hour or less. The detailed information is presented in a form that enables assessment of the sheltering capabilities of residences and structures. While this information is useful in the planning stage, it may be too complex to use in an emergency response situation, and much of the information is covered in the ALOHA program. The chapter does contain a series of very good graphs indicating concentration reduction curves from a temporary source at various ventilation rates for residential and other buildings, and tables that allow one to calculate the relative protection factors for various types of releases.

Chapter 7 of the Green Book presents planning data on population densities. The information is useful, but a cautionary note should be sounded with regard to differing densities in various countries. In the United States and Canada, land use planning data are available, and they may provide a more accurate guide to the existing populations in the vicinity of a plant or facility. The data in Chapter 7 are excellent but of necessity general. Land use planning data from various governmental agencies may provide a more accurate picture of local population densities and are certain to provide a more recent picture that reflects regional differences.

The Yellow Book: Methods for the Calculation of Physical Effects due to the Releases of Hazardous Materials (Liquids and Gases), CPR-14E

This book is massive at 870 pages but fortunately available in PDF. The opening paragraph in user instructions sets the tone for the book:

The educational design provides a framework according to which this version of the Yellow Book has been structured…the Yellow Book starts with a section on outflow and spray release (Chapter 2), then addresses evaporation (Chapter 3) and dispersion (Chapter 4), before addressing several other specific aspects, such as vapor cloud explosion (Chapter 5), heat load (Chapter 6), and rupture of vessels (Chapter 7). Finally a section on interfacing related models (Chapter 8) illustrates how to proceed in applying a sequence of models in estimating physical effects according to a few selected scenarios.

The Yellow Book goes into numerical modeling of various types of releases, including sprays and vapors, and has advice on the topics of dense gas modeling and modeling evaporation from a pool and a pool fire. It is the type of book that a chemical engineer uses to calculate mathematical effects, and one needs a sound foundation in heat transfer, thermodynamics, engineering, and some familiarity with atmospheric dispersion modeling in order to use this book properly. It is literally overwhelming in the amount of details provided and required to create models of the various types of releases. Of particular interest is Chapter 7, which deals with tank ruptures and blasts. This chapter also addresses the subject of blast projectiles and tank fragments that might be released during a tank rupture scenario.

The Red Book: Methods for Determining and Processing Probabilities, CPR-12

This is really a book about applied statistics and risk assessment. As such, it covers many of the topics addressed in this book but in significantly greater mathematical detail. It addresses topics such as mean time between failures (MTBF), FTA and event tree analysis, Markov chains, and accident sequence development and quantification, as well as detailed discussions on statistics and computation and reliability theory. Of particular interest are Chapters 16 and 17, which deal with reliability, availability, and maintenance and with reliability-centered maintenance, with practical guides to establishing the mathematical basis for the programs and suggestions for establishing tenders for the program if conducted by outsiders. Overall, the book is excellent and informative.

The Purple Book: Guidelines for Quantitative Risk Assessment, PGS 3

Special note: Many industries may encounter problems in applying the quantitative risk assessment procedures because the focus of the assessments is ultimately on fatalities per year. (This is often referred to as the probit function.) From a liability standpoint, a US-based corporate executive would not consider designing or evaluating a system in terms of the number of deaths per year, because the aggressive legal culture in the United States would indict him and his company on criminal negligence charges.

The treatment of the Purple Book here is somewhat more comprehensive than that of the other colored books because of its relevance to the overall topic of security. The approach taken in the Purple Book is slightly different from the standpoint of risk assessment. Performing a quantitative risk assessment (QRA) is a lot of work and requires detailed analysis of the entire facility; it could require several hundred to several thousand man-hours of effort. The EUECE and the UK Competent Authority (the Health and Safety Executive) have therefore developed a screening test to determine whether or not a specific facility requires a comprehensive QRA.

The need for the QRA is based on a screening value S derived by computing the boundary distances between the operating portions of the plant and the plant fence line. The guideline values are determined by the following set of calculations.

First, criteria are set for excluding substances from the risk assessment guidelines to reduce the potentially large number of sites:

  1. Physical form of the substance

    Substances in solid form such that under both normal conditions and any abnormal conditions that can be reasonably foreseen, a release of matter or of energy, which could create a major accident hazard, is not possible

  2. Containment and quantities

    Substances packaged or contained in such a fashion and in such quantities that the maximum release possible under any circumstances cannot create a major accident hazard

  3. Location and quantities

    Substances present in such quantities and at such distances from other dangerous substances (at the establishment or elsewhere) that they can neither create a major accident hazard by themselves nor initiate a major accident involving other dangerous substances

  4. Classification

    Substances that are defined as dangerous by virtue of their generic classification in Annex I, Part 2, of Council Directive 96/82/EC but that cannot create a major accident hazard and for which therefore the generic classification is inappropriate for this purpose

The next step is to subdivide the installation or plant into subunits and calculate an indication number A for each subunit. The number A is calculated by

[formula image not reproduced in this extraction]

where Q is the quantity of the substance present, taken from the list in Section 2.3.2.1 of the document; O1 to O3 are factors for the process conditions described in Section 2.3.2.2; and G is the limiting quantity described in Section 2.3.2.3.

The O1 factor is either 1 or 0.1, depending on whether the quantity is in process or in storage.

The O2 factor is defined in the following table:

Positioning                                                                       O2
Outdoor installation                                                              1.0
Enclosed installation                                                             0.1
Installation situated in a bund, with a process temperature Tp less than the
  atmospheric boiling point Tbp plus 5°C, that is, Tp ≤ Tbp + 5°C                 0.1
Installation situated in a bund, with a process temperature Tp more than the
  atmospheric boiling point Tbp plus 5°C, that is, Tp > Tbp + 5°C                 1.0

And the O3 factor is dependent upon process conditions as follows:

Phase                                                                             O3
Substance in gas phase                                                            10
Substance in liquid phase:
  Saturation pressure at process temperature of 3 bar or higher                   10
  Saturation pressure at process temperature of between 1 and 3 bar               X + Δ
  Saturation pressure at process temperature of less than 1 bar                   Pi + Δ
Substance in solid phase                                                          0.1

X = 4.5 × saturation pressure (bar) − 3.5, and Pi is the partial pressure (bar) at the operating or processing temperature.

Δ applies to liquids and depends on the atmospheric boiling point Tbp of the liquid, as given below:

Boiling point Tbp                 Δ
−25°C ≤ Tbp                       0
−75°C ≤ Tbp < −25°C               1
−125°C ≤ Tbp < −75°C              2
Tbp < −125°C                      3

Finally, the limit value G is based upon the toxicity of the materials as shown below:

LC50 (rat, inhalation, 1 h) (mg/m³)     Phase at 25°C     Limit value G (kg)
LC ≤ 100                                Gas               3
                                        Liquid (L)        10
                                        Liquid (M)        30
                                        Liquid (H)        100
                                        Solid             300
100 < LC ≤ 500                          Gas               30
                                        Liquid (L)        100
                                        Liquid (M)        300
                                        Liquid (H)        1000
                                        Solid             3000
500 < LC ≤ 2000                         Gas               300
                                        Liquid (L)        1000
                                        Liquid (M)        3000
                                        Liquid (H)        10,000
                                        Solid             –
2000 < LC ≤ 20,000                      Gas               3000
                                        Liquid (L)        10,000
                                        Liquid (M)        –
                                        Liquid (H)        –
                                        Solid             –
LC > 20,000                             All phases        –

There is an additional caveat: for flammable substances, the G value should not exceed 10,000 kg, and for explosive substances it is 1000 kg of TNT equivalent or less.

The A numbers are summed separately for the different processes and for toxic, explosive, and flammable substances, and then a selection number S is developed at eight different locations around the perimeter of the facility. The selection number is of the form

[formula image not reproduced in this extraction]

where N is 2 for toxics and 3 for flammables and explosives, and L is the distance in meters from the installation to the specific location, with a minimum value of L = 100. The selection number has to be calculated for every installation at a minimum of eight locations on the boundary of the establishment, with a minimum distance of 50 m between each selection point. If the establishment has a boundary on the water, then the S value must be calculated on the bank side opposite the establishment.

Selection criteria for performing a QRA

The need for performing a comprehensive QRA is dependent upon the determined values for S at the facility. The QRA is required if:

The selection number of an installation is larger than one at a location on the boundary of the establishment (or on the bank side situated opposite the establishment) and larger than 50% of the maximum selection number at that location.

The selection number of an installation is larger than one at a location in the residential area, existing or planned, closest to the installation.
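The screening procedure above, from the O and G factor tables through the indication number A, the selection number S at the boundary points, and the two QRA criteria, carried through in code as an added worked example. This is not code from the book or from TNO. Because the two formula images did not survive on this page, it assumes the Purple Book's own expressions from Section 2.3, A = Q × O1 × O2 × O3 / G and S = A × (100/L)^N, and it takes the partial pressure Pi of a pure liquid below 1 bar to equal its saturation pressure; the installations, quantities, LC50 values and distances in `screen_sample` are constructed sample values, not real plant data.

```python
"""Purple Book (PGS 3 / CPR 18E) QRA screening calculation.

Added worked example, not code from the book or from TNO. It encodes the O1, O2,
O3, Δ and G tables given on this page and assumes the two Purple Book formulas
(Section 2.3) whose images did not survive extraction:
    A = Q * O1 * O2 * O3 / G
    S = A * (100 / L) ** N    (L >= 100 m; N = 2 for toxics, 3 for flammables/explosives)
All substances, quantities and distances below are constructed sample values.
"""
from typing import Dict, Optional, Set

G_FLAMMABLE_KG = 10_000.0     # limit value G for flammable substances
G_EXPLOSIVE_KG_TNT = 1_000.0  # limit value G for explosives (kg TNT equivalent)
# Limit value G (kg) by LC50 band upper bound (mg/m3, rat, inhalation, 1 h) and
# phase at 25 C; None where the table gives no limit value.
_LC50_BANDS = [
    (100, {"gas": 3, "liquid_L": 10, "liquid_M": 30, "liquid_H": 100, "solid": 300}),
    (500, {"gas": 30, "liquid_L": 100, "liquid_M": 300, "liquid_H": 1000, "solid": 3000}),
    (2000, {"gas": 300, "liquid_L": 1000, "liquid_M": 3000, "liquid_H": 10000, "solid": None}),
    (20000, {"gas": 3000, "liquid_L": 10000, "liquid_M": None, "liquid_H": None, "solid": None}),
]


def limit_value(category: str, lc50_mg_m3: Optional[float] = None,
                phase_at_25c: Optional[str] = None) -> Optional[float]:
    """G by category; for toxics None means the substance drops out of the screening."""
    if category == "flammable":
        return G_FLAMMABLE_KG
    if category == "explosive":
        return G_EXPLOSIVE_KG_TNT
    for upper, by_phase in _LC50_BANDS:
        if lc50_mg_m3 <= upper:
            return by_phase[phase_at_25c]
    return None  # LC50 > 20,000 mg/m3: no limit value for any phase


def o1_factor(in_process: bool) -> float:
    return 1.0 if in_process else 0.1  # process unit vs storage


def o2_factor(positioning: str, t_process_c: Optional[float] = None,
              t_boil_c: Optional[float] = None) -> float:
    """O2 by positioning; a bunded installation depends on Tp against Tbp + 5 C."""
    if positioning == "outdoor":
        return 1.0
    if positioning == "enclosed":
        return 0.1
    if positioning == "bund":
        if t_process_c is None or t_boil_c is None:
            raise ValueError("bunded installation needs Tp and Tbp")
        return 0.1 if t_process_c <= t_boil_c + 5.0 else 1.0
    raise ValueError(f"unknown positioning {positioning!r}")


def delta_for_liquid(t_boil_c: float) -> int:
    """Δ by atmospheric boiling point of the liquid (deg C)."""
    if t_boil_c >= -25:
        return 0
    if t_boil_c >= -75:
        return 1
    if t_boil_c >= -125:
        return 2
    return 3


def o3_factor(phase: str, t_boil_c: Optional[float] = None, p_sat_bar: Optional[float] = None,
              p_partial_bar: Optional[float] = None) -> float:
    """O3 by phase and saturation pressure at process temperature (bar)."""
    if phase == "gas":
        return 10.0
    if phase == "solid":
        return 0.1
    if phase != "liquid" or p_sat_bar is None or t_boil_c is None:
        raise ValueError("a liquid needs its boiling point and saturation pressure")
    d = delta_for_liquid(t_boil_c)
    if p_sat_bar >= 3.0:
        return 10.0
    if p_sat_bar >= 1.0:  # between 1 and 3 bar: X + Δ, with X = 4.5 * p_sat - 3.5
        return 4.5 * p_sat_bar - 3.5 + d
    # below 1 bar: Pi + Δ; for a pure liquid Pi is taken equal to p_sat (assumption)
    return (p_sat_bar if p_partial_bar is None else p_partial_bar) + d


def indication_number(quantity_kg: float, o1: float, o2: float, o3: float,
                      g: Optional[float]) -> float:
    """A = Q * O1 * O2 * O3 / G; zero when no limit value applies."""
    return 0.0 if g is None else quantity_kg * o1 * o2 * o3 / g


def selection_number(a: float, distance_m: float, category: str) -> float:
    """S = A * (100 / L) ** N with L clamped to the 100 m minimum."""
    n = 2 if category == "toxic" else 3
    return a * (100.0 / max(distance_m, 100.0)) ** n


def installations_needing_qra(boundary: Dict[str, Dict[str, float]],
                              residential: Dict[str, float]) -> Set[str]:
    """boundary: location -> {installation: S}; residential: installation -> S at the
    nearest residential area. Applies the two Purple Book selection criteria."""
    needs: Set[str] = set()
    for s_by_inst in boundary.values():
        s_max = max(s_by_inst.values())
        needs.update(i for i, s in s_by_inst.items() if s > 1.0 and s > 0.5 * s_max)
    needs.update(i for i, s in residential.items() if s > 1.0)
    return needs


def screen_sample() -> Set[str]:
    """Constructed site: toxic pressurised gas store T1 and enclosed flammable liquid unit F1."""
    a_t = indication_number(20_000, o1_factor(False), o2_factor("outdoor"),
                            o3_factor("liquid", t_boil_c=-33, p_sat_bar=8.0),
                            limit_value("toxic", lc50_mg_m3=3000, phase_at_25c="gas"))
    a_f = indication_number(50_000, o1_factor(True), o2_factor("enclosed"),
                            o3_factor("liquid", t_boil_c=36, p_sat_bar=0.6),
                            limit_value("flammable"))
    fence = {"north fence": 200.0, "south fence": 400.0}  # boundary points, metres
    boundary = {loc: {"T1": selection_number(a_t, d, "toxic"),
                      "F1": selection_number(a_f, d, "flammable")} for loc, d in fence.items()}
    residential = {"T1": selection_number(a_t, 600.0, "toxic"),
                   "F1": selection_number(a_f, 600.0, "flammable")}
    return installations_needing_qra(boundary, residential)


if __name__ == "__main__":
    print(screen_sample())
```

In the constructed case the 20,000 kg store scores A ≈ 6.7 and S ≈ 1.67 at the 200 m fence point, so it alone triggers a QRA; the enclosed flammable unit scores A = 0.3 and stays well under 1 everywhere, which is the screening's purpose: only the installations that dominate the off-site risk are carried into the full study.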

There are additional conditions specified for pipelines in the Purple Book that address gas and liquid pipelines and the hazard they can pose.

The Purple Book includes a number of data points for tanks and pipelines that are useful in determining the risk levels for loss of containment for industrial operations. Selected risk levels for loss of containment are shown below. For additional detail, see the Purple Book.

Loss of containment statistics for selected process equipment

Special note: The probabilities expressed below have a factor of safety already built in, and there is a caution in the Purple Book that the cumulative probability of loss of containment should never exceed 10⁻⁶ per year.¹⁹

Tanks and vessels                     Instantaneous        Continuous, 10 minutes   Continuous, >10 minutes
Pressure vessel                       5 × 10⁻⁷ y⁻¹         5 × 10⁻⁷ y⁻¹             1 × 10⁻⁵ y⁻¹
Process vessel                        5 × 10⁻⁶ y⁻¹         5 × 10⁻⁶ y⁻¹             1 × 10⁻⁴ y⁻¹
Reactor vessel                        5 × 10⁻⁶ y⁻¹         5 × 10⁻⁶ y⁻¹             1 × 10⁻⁴ y⁻¹
Atmospheric tanks:
  Single containment                  5 × 10⁻⁶ y⁻¹         5 × 10⁻⁶ y⁻¹             1 × 10⁻⁴ y⁻¹
  Full containment                    1 × 10⁻⁸ y⁻¹         1.25 × 10⁻⁸ y⁻¹          1 × 10⁻⁴ y⁻¹

Pipes                                 Rupture              Leak
Diam < 75 mm                          1 × 10⁻⁶ m⁻¹ y⁻¹     1 × 10⁻⁶ m⁻¹ y⁻¹
75 mm < diam < 150 mm                 3 × 10⁻⁷ m⁻¹ y⁻¹     2 × 10⁻⁶ m⁻¹ y⁻¹
Diam > 150 mm                         1 × 10⁻⁷ m⁻¹ y⁻¹     5 × 10⁻⁷ m⁻¹ y⁻¹

Pumps                                 Catastrophic failure Leak
Pumps without additional provisions   1 × 10⁻⁴ y⁻¹         5 × 10⁻⁴ y⁻¹
Pumps with steel containment          5 × 10⁻⁵ y⁻¹         2.5 × 10⁻⁴ y⁻¹
Canned pumps                          1 × 10⁻⁵ y⁻¹         1 × 10⁻⁵ y⁻¹

There are a number of other tables on heat exchangers, releases of dusts and powders in or outside warehouses, and road or tanker vehicles and for shipping. The Purple Book also contains many of the formulas and guidance for the application of those formulas found in the other colored books.

Sample outline for emergency response

Based upon our combined long experience in dealing with security and incidents, we have prepared an outline for an emergency response plan that should address many of the concerns of the regulatory agencies and should be highly useful to plant and security personnel (Table 7.5).

Table 7.5 Outline of emergency response plan for a typical facility

Introduction and signatures
    Probably about two pages, including the authorized signatures and a brief introduction stating when the plan is to be used.

Plan review and reauthorization
    One page showing the dates on which the plan was reviewed and which changes were made to phone numbers, pages, and other pertinent factors. In the United States, recertification of the adequacy of spill prevention, control, and countermeasure plans by a professional engineer is required every 3 years.

RED tab section
    This section should be on red-bordered paper. Contents should include:
      Local emergency contact information, both internal and external to the plant
      Emergency services
      Fire department
      Hospital and ambulance
      Plant manager
      Regional or area managers and supervisors who work in the plant
      Public relations department
      Support services, such as manpower for additional help with spill control and cleanup
      Plant contractor
      Regulatory and government officials, including the local environmental protection agency and/or state police
      Other company officials as required
      Plant maps:
        General facility layout
        Location of spill control and firefighting facilities
        Inventory of firefighting equipment available
        Location and quantities of personal protective equipment
        Plant sewer system
        Size and location of tanks or flammable materials storage
        Topographic map of the facility
    Note: The purpose of this section is to centralize the notifications required in case assistance is needed, not to have the security or guard force march down the list calling everyone. Calls should be made by the plant manager or his designated representative as needed or as required by law.
    Note 2: In the case of the hospital, the ambulance service, and the fire department, it is strongly recommended that these services have a copy of the plan and be familiar with the plant. The hospital may need additional information about the possibility of contaminated victims arriving by ambulance, as the victims can contaminate the ambulance and/or the hospital emergency room.

Emergency evacuation plans
    This should be a worked-out section covering multiple worst-case disaster events and should include emergency evacuation areas and the populations in the vicinity of the plant. It should also show the reassembly areas for plant personnel in case of an evacuation, fire, or explosion. Ideally, this section would contain contingency plans for several worst-case scenario events, including spills, explosions, vapor clouds, etc.

Regulations and regulatory compliance
    This section should demonstrate compliance with the appropriate environmental regulations regarding spills, releases, and incidents.

Environmental contamination and mitigation information
    This section should contain information on the plant wastewater treatment system, the local sewer, and the local sewage treatment plant, including the appropriate contacts for pollution control limits.

Cleanup and disaster remediation and repair facilities and resources
    In the event of a spill to waterways, booming and cleanup supplies might be needed; find a contractor with supplies that are immediately available. In the event of a fire, which contractors are good at repairing damage to the plant and rebuilding it? In the event of a release to the surface or the groundwater, which companies and contractors can be counted on to provide remediation services on a cost-plus basis?
    Note: Especially with contract labor, it is a good idea to have a contract for services in place at agreed-upon pricing, as the multiplier for services, especially in an emergency, may be significantly higher than the normal consulting or contracting rates. The same is true for supplies, but to a lesser extent.

Security guidance and activities during and after an incident
    This should be a plan that highlights the role of the security and guard force during a plant emergency. The plan should include plant border control, who to let in, which procedures to follow, and what must be maintained at all times.

Results and lessons learned from periodic tabletop and actual emergency response exercises
    This section should contain summaries and recommendations from previous emergency fire drills, spill drills, and other emergency exercises. The preferred method is to present the improvement recommendations without a timetable for their implementation. Also be careful about providing detailed information about the failures from the exercises. Improvement projects in a plant environment can be delayed and schedules change; if past failures and planned improvements are discussed, they will provide a regulatory inspector with a roadmap to the problem areas and may effectively create a record of past failures that can be used against the plant in a legal or regulatory proceeding.

General note: When discussing the plant and improvements, it is imperative that only activities that are currently implemented are mentioned. Too many times, we have seen the idea that the preparation of the emergency plan, spill plan, or other document is a way of training the new engineer or employee. As a consequence, that employee will often make comments about what should be in place to improve plant performance in a particular area. Often, those improvements are not implemented, and the “hungry” regulator who is looking for reasons to fault the plant can seize upon the “incriminating promise” statements as proof that the plant is lax in the area of protection of its employees, the surrounding population, or the environment, especially if the problem or emergency was in one of the areas where “promised improvements” were never installed.

Notes

    1. 29 CFR 1910.119, Process Safety Management of Highly Hazardous Chemicals; Final Rule; February 24, 1992, Federal Register Vol. 57, No. 36, pp. 6356–6417.
    2. OSHA Instruction CPL 2.45B, June 15, 1989, the Field Operations Manual (FOM).
    3. OSHA Instruction STP 2.22A, CH-2, January 29, 1990, State Plan Policies and Procedures Manual.
    4. OSHA Instruction CPL 2.94, July 22, 1991, OSHA Response to Significant Events of Potentially Catastrophic Consequence.
    5. OSHA Instruction ADM 1-1.12B, December 29, 1989, Integrated Management Information System (IMIS) Forms Manual.
    6. OSHA 3133, “Process Safety Management” Guidelines for Compliance.
Notes to the loss of containment table:

    1. A vessel or tank consists of the vessel (tank) wall and the welded stumps, mounting plates, and instrumentation pipes. The loss of containment (LOC) covers the failure of the tanks and vessels and the associated instrumentation pipework. The failure of pipes connected to the vessels and tanks should be considered separately.
    2. The failure frequencies given here are default failure frequencies based on the situation that corrosion, fatigue due to vibrations, operating errors, and external impacts are excluded. A deviation from the default failure frequencies is possible in specific cases.
      • A lower failure frequency can be used if a tank or vessel has special provisions additional to the standard provisions (for example, according to the design code) that have an indisputable failure-reducing effect. However, the frequency at which the complete inventory is released (i.e., the sum of the frequencies of the LOCs G.1 (instantaneous) and G.2 (continuous, 10 minutes)) should never be less than 1 × 10⁻⁷ per year.
      • A higher frequency should be used if standard provisions are missing or under uncommon circumstances. If external impact or operating errors cannot be excluded, an extra failure frequency of 5 × 10⁻⁶ per year should be added to LOC G.1, “instantaneous,” and an extra failure frequency of 5 × 10⁻⁶ per year should be added to LOC G.2, “continuous, 10 minutes.”
      • See the Purple Book, Section 3.3, Table 3.3, “Frequencies of LOC for Stationary Vessels” (page 27 of 237).